Hi Mbed TLS team,

 

I would like to ask whether Mbed TLS could publish security advisories in a machine-readable format, for example GitHub Security Advisories or OSV.

 

Security fixes are currently visible in release notes and documentation before they appear in NVD/GHSA/OSV. This creates a detection gap for automated vulnerability scanners such as Dependency-Track, because they rely on structured advisory data with affected versions, fixed versions, and identifiers such as CPE, PURL, or Git ranges.

 

For example, when a security release is available, Dependency-Track may not alert until the corresponding CVE or advisory appears in one of its vulnerability data sources. This can delay automated remediation even though a patched Mbed TLS version is already released.

 

Would the project consider publishing machine-readable advisories at release time, or is there already a preferred process for this?

 

Thanks!

 

 

Nils Schlegelmilch

Development

 

Phone   +49 7836 50-9883

E-Mail     n.schlegelmilch@vega.com

VEGA Grieshaber KG | Am Hohenstein 113 | 77761 Schiltach | Germany

 

 

Unsere Datenschutzhinweise und somit auch die Informationen gem. Art. 13 DSGVO finden Sie im Internet unter www.vega.com/datenschutz

VEGA Grieshaber KG

Kommanditgesellschaft mit Sitz in Wolfach
Registergericht: Freiburg HRA 680 687

Persönlich haftende Gesellschafter:
Isabel Grieshaber
Grieshaber Holding GmbH
Sitz: Wolfach
Registergericht: Freiburg HRB 680 271

Geschäftsführer:
Isabel Grieshaber, Markus Kniesel

USt.-Id.-Nr.: DE143030199